Biometrics & Authentication Technologies: security issues. Andy Adler Systems and Computer Engineering Carleton University, Ottawa

1

Andy Adler

Systems and Computer Engineering Carleton University, Ottawa

Biometrics & Authentication

Technologies: security issues

What are

Biometrics

Automatic identification of an individual based on behavioural or physiological characteristics

3

What are

Biometrics

Automatic identification of an individual based on behavioural or physiological characteristics Computer based ie. fast Forensics _{is the} science of humans identifying humans

What are

Biometrics

Automatic identification of an individual based on behavioural or physiological characteristics Two types: 1. Verification 2. Identification

5

What are

Biometrics

Automatic identification of an individual based on behavioural or physiological characteristics Biometrics is only about identity of individual. Other technologies manage security

What are

Biometrics

Automatic identification of an individual based on behavioural or physiological characteristics Behavioural biometrics: • Gait • Voice • Typing dynamics • Signature

7

What are

Biometrics

Automatic identification of an individual based on behavioural or physiological characteristics Physiological Biometrics • Fingerprint • Face • Iris • Retina • Hand Geometry • Dental shape • DNA …

What is Biometrics security

Somewhat difficult to define

Biometric systems implicitly have an “attacker”

My definition: biometrics security is against

Stronger attacks than zero-effort impostors

9

Taxonomy

Presentation attacks (spoofing)

appearance of the biometric sample is physically

changed or replaced.

Biometric processing attacks:

an understanding of the biometric algorithm is used to

cause incorrect processing and decisions, Software and networking vulnerabilities:

based on attacks against the computer and networks

on which the biometric systems run, and Social attacks:

11

Biometrics Vulnerabilities

Taxonomy (from Maltoni et al, 2003):

Circumvension

Covert acquisition Collusion / Coercion Denial of Service

Biometrics Security Issues

Biometrics are not secrets

Biometrics cannot be revoked

13

IdentityClaim

[A]

ID Claim (via token)

needed for most biometric functions

Presentation

[B]

Makeup / tilt head / cut fingerprints

Avoid detection (False Neg) easier than

15

Presentation

[B]

Spoofing: Attempt to fool biometric system with artificial biometric

Fingerprint: gummy, etching, mould Face, Iris, Voice

Liveness: Approach to detect spoofing attempts

Sensor

[C]

Subvert or replace

sensor hardware

Eavesdropping / replay

17

Segmentation

[D]

Segmentation isolates

biometric image from background

Feature

Extraction [E]

Use knowledge of algorithm to construct

“features” to confuse algorithm

Biometric “Zoo”

Sheep – system performs well Goats – difficult to recognize Lambs – easy to imitate

19

Quality

Control [F]

Quality used to

prevent enrolment of poor images

Misclassify as good – force decrease of

internal thresholds

Template

Creation [G]

Regeneration of

21

Data

Storage [H]

Storage in: Government database ID card Electronic Devices

Matching [I]

Need

threshold (single biometric)

fusion parameters (multiple biometrics)

Modify threshold choices by specific

template enrolments

23

Security issues

Biometric system Identity verification system Release Crypto keys Single Sign-on sub-Lookout system Authenticate Credit card Authenticate Internet app Supervised sensor unsupervised desktop Authenticate via internet unsupervised public

Biometric template security [E]

It is claimed to be impossible or infeasible to recreate the enrolled image from a template. Reasons:

templates record features (such as fingerprint

minutiae) and not image primitives

templates are typically calculated using only a small

portion of the image

templates are much smaller than the image

proprietary nature of the storage format makes

25

Images can be

regenerated

…?

Typical Biometric processing

Question: Is this possible?

enrolled “Image” Template Biometric Compare Match Score Template regenerated “Image” live “Image”

Target Initial

Images

Hill-climbing: begin with a guess, make small modifications; keep modifications which

increase the match score

27

A

B

Iteration 4000 Target Image Iteration 600 Iteration 200 Initial Image

Results

Improved regenerated image

Average of 10

29

Extensions to this approach

Recently, this approach has been extended to fingerprint images

U.Uludag developed an approach to

modify a collection of minutiae

A.Ross has developed a fingerprint image

Protection:

According to BioAPI

“…allowing only discrete increments of

score to be returned to the application eliminates this method of attack.”

Idea: most image modifications will not

31

Modified “hill-climbing”

IM_i

+

RN Until MS reduces by one quantized level

+

Keep image With largest MS IM_i+1 EF_k Q OQ

Results: modified “hill-climbing”

No quantization “medium” quant. “large” quant.

33

Implications: image regeneration

1. Privacy Implications

ICAO passport spec. has templates

encoded with public keys in contactless chip

ILO seafarer’s ID has fingerprint template in

Implications: image regeneration

2. Reverse engineer algorithm

Regenerated images tell you what the

algorithm ‘really’ considers important

Alg. #3 Alg. #2

Alg. #1

Target _{doesn’t care}

about nose width

35

Implications: image regeneration

3. Crack biometric encryption

Biometric encryption seeks to embed a key into the template. Only a valid image will decrypt the key

Since images vary

Enrolled image + ∆ _{=> release key}

However

Enrolled image + ∆ ₊ ε _{=> no release}

If we can get a measure of how close we are, they we can get a match score

Biometric Encryption

Recent paper by Ontario Information and

Privacy Commissioner

“Biometric Encryption: A Positive-Sum

Technology that Achieves Strong

Authentication, Security AND Privacy”

37

My concern:

Biometric Encryption (and biometric

cryptographic schemes in general) only offer benefits if they are cryptographically secure. If they are not cryptographically secure, then they offer no benefit at all.

39

Biometric encryption

(Soutar, 1998)

Average pre-aligned enrolled

image (f₀)

Calculate template from Wiener

filter

H₀ = F*R₀* / ( F*F + N² )

where R₀ has phase ±π/2, ampl = 1

Each bit of secret is linked to

Crack biometric encryption

Construct match-score from number of

matching elements in link table

Use quantized template reconstructor

enrolled e rce n t a tch e d

41

Fuzzy Vaults for fingerprints

(Clancy, 2003)

Fuzzy Vault encryption

Encode key (k_1,k_2,k_3,k₄₎ in polynomial

coefficients

Template is point co-ordinates

43

Fuzzy Vault key-release

Find polynomial coefficients which best fit

to the identified points

A few wrong points are OK

Y(x)=k₁+k₂x+k₃x2+k₄x3

b₁ b₂ b₄ b₅ b₆ Unlocking set: b₃

Collusion Attack

Users’ fingerprints may be associated with

many vaults.

Ex: In the smart card implementation, users

will likely carry multiple smart cards associated with different companies, each locked with the same fingerprint.

Is Fuzzy Vault secure when the same

45

Collusion Attack

Summary

Almost everyone is inventing schemes;

very few are breaking them.

However,

Anyone can invent a security system that he himself cannot break.

47

Face Recognition: Human vs.

Automatic Performance

Same person?

I have just demonstrated a massively

parallel face recognition computer

Of all biometric modalities, automatic face

recognition is most often compared to human performance

49

Choice of images

Goldilocks problem:

Too easy test -> all score 100% Too hard test -> all score 0%

Database used: NIST Mugshot

Large age changes between captures

Analysis

Human results

Post-processed to choose optimal “threshold”

for them

An operating point FMR/FNMR calculated

Software results

Same images presented to FR software

(worked with 15 packages – 7 vendors)

Results

Error rates are high

Significant improvement in SW 1999-2006 Most recent algs outperform about half of

people

53

information content of a

biometric measurement?

Or

How much do we learn (about identity)

from a biometric image Or

How much privacy do we loose on

Example: measure

Height

Measure #1 (at doctor’s office, ie. accurate)

Measure #2 (via telescope, ie. inaccuate)

Overall Distribution Feature Variability (high heels, carry backpack) Measurement Variability (device errors)

55

Example: measure

Height

How much information learned?

Measure #2 Measure #1 Low Almost zero Quite a lot Low Tall (7½’ tall) Average (5½’ tall) Know about

Human heights Measure

Know about: Human heights Person’s height

Proposed measure:

relative entropy D

(

p

||

q

)

Given biometric feature vector x Distributions

intra-person distribution, p(x) inter-person distribution, q(x)

D(p||q) measures inefficiency of assuming q

when true distribution is p Or,

57

Applications:

biometric

Meta algorithm

Evaluate a new biometric feature

Biometric Performance limits

Template size limits

Inherent match performance limits

Feasibility of Biometric Encryption

Applications:

abstract

Quantify privacy

What is the privacy risk due to the release of

certain information?

What is the privacy gain in obscuring faces?

Uniqueness of biometrics

Approach to address: “Are faces / fingerprints

59

Conclusions

Approach to measuring information

content of a biometric system

Relative Entropy is appropriate measure

Help explain legal, social, performance

Biometrics in Canada (Gov't)

Passports Immigration Customs Defence Natural Resources Public Safety

61

Privacy issues

There are widespread privacy concerns

about biometrics.

This is not really a biometrics issue.

Companies/Governments have proved themselves irresponsible with personal data. Now people are stonewalling.

Have you ever checked your credit

record?

Epilogue:

biometrics’ future

?

Operator: "Thank you for calling Pizza Hut."

Customer: “Two All-Meat Special..."

Operator: "Thank you, Mr. Smith. Your voice print

identifies you with National ID Number: 6102049998"

Customer: (Sighs) "Oh, well, I'd like to order a couple of your All-Meat Special pizzas..."

Operator: "I don't think that's a good idea, sir."

Customer: "Whaddya mean?"

Operator: "Sir, your medical records indicate that you've got very high blood pressure and cholesterol. Your Health Care provider won't allow such an unhealthy

63

Epilogue:

Operator: "You might try our low-fat Soybean Yogurt Pizza. I'm sure you'll like it"

Customer: "What makes you think I'd like something like that?"

Operator: "Well, you checked out 'Gourmet Soybean Recipes' from your local library last week, sir."

Customer: “OK, lemme give you my credit card number."

Operator: "I'm sorry sir, but I'm afraid you'll have to pay in cash. Your credit card balance is over its limit."

Customer: "@#%/$@&?#!"

Operator: "I'd advise watching your language, sir. You've already got a July 2006 conviction for cussing … "

Andy Adler

Systems and Computer Engineering Carleton University, Ottawa

Biometrics & Authentication

Technologies: security issues